bottom line:
DNS' RFC notes that DNS queries over UDP are limited to 512 bytes. Does anybody know if this is enforced by major corporate firewalls?

long story:
My company develops a product that should communicate between data centers. Since the typical user of this product (a performance engineer) would not have access to the firewall's settings, we would like to develop a method that bypasses firewalls with good rates of success. We thought of tunneling the application data over DNS TXT queries, since it seems that (within the WAN) firewalls tend to let DNS queries pass by. However, we are not very knowledgeable about common firewall behavior and would like some help. Specifically, we are wondering whether the big-brand firewalls block DNS queries over UDP that are longer than 512 bytes.

6 Answers

No, firewalls don't habitually drop big DNS queries like that, as far as I'm aware. What you want to look at for your problem is existing implementations of IP over DNS, such as dns2tcp, nstx, or iodine. They'll show you exactly how it can be done.

If you're talking about real, proper, enterprise firewalls you're probably OK, although Cisco PIXes tend to come with a default setting that does limit packets to 512 bytes.

If on the other hand you're talking about low end firewalls, SOHO routers, etc., you're quite likely to come unstuck.

For a full treatise on these issues with low end kit see RFC 5625 and ICANN SSAC report SAC035. Obligatory disclaimer - I wrote these documents. DNS packet truncation is something of a speciality of mine...

What's far more likely is people thinking DNS is UDP only, and ignoring that TCP is required, not optional. We often have to run public DNS servers behind others' firewalls and making them understand that we need TCP not just open to us but to the world is a pain.

There is an extension to the RFC known as EDNS0, which implements the ability to extend DNS messages beyond 512 bytes on UDP transports. Historically some firewalls have been known to block the use of this extension. For instance some older PIX and ASA firmwares will drop by default as exampled here.

Chances are that most firewalls out there today don't exhibit this behaviour. But there's no guarantee that you won't walk into one out in the wild. There is also a chance that any deep packet inspection of your traffic could result in it being blocked as an anomaly.

Furthermore you should bear in mind (if you haven't already) that by using UDP you will have to build transmission control into your application layer, rather than relying on the transport (namely TCP) to provide it. Be sure to follow womble's advice about observing existing DNS tunnelling implementations.
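The answers above turn on three wire-level facts: the 512-byte UDP ceiling from RFC 1035, the EDNS0 OPT record that advertises a larger buffer, and the TC (truncated) bit that tells a client to retry over TCP. The following is an added example, not code from the question or from any of the answers, that builds an EDNS0 query by hand, parses a reply for those facts, and classifies it the way an operator checking their own resolver path would. The name `dns.example`, the 4096-byte advertised size and the `build_txt_response` helper (a constructed stand-in for a real server, used only so the parsing can be exercised offline) are assumptions; `probe` is the only function that touches the network.

```python
import socket
import struct

QTYPE_TXT = 16
RTYPE_OPT = 41                 # EDNS0 OPT pseudo-RR (RFC 6891)
CLASSIC_UDP_LIMIT = 512        # RFC 1035 ceiling for DNS over UDP
EDNS_BUFSIZE = 4096            # payload size we advertise (assumption)

def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels, root terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label longer than 63 octets: %r" % label)
            out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, qtype: int = QTYPE_TXT, txn_id: int = 0x1234,
                edns_bufsize: int = EDNS_BUFSIZE) -> bytes:
    """Recursive query; a non-zero edns_bufsize appends an OPT record in the
    additional section so the server may answer with more than 512 bytes."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, arcount)  # RD set
    question = encode_name(name) + struct.pack("!HH", qtype, 1)        # IN
    msg = header + question
    if edns_bufsize:
        # OPT: root name, TYPE=41, CLASS=advertised UDP size, TTL=0, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", RTYPE_OPT, edns_bufsize, 0, 0)
    return msg

def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a name, honouring compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-octet pointer ends the name
            return off + 2
        off += 1 + length

def parse_response(msg: bytes) -> dict:
    """Pull out what a path check needs: size, TC bit, RCODE, OPT presence."""
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txn_id, "size": len(msg), "truncated": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "answers": an, "edns_bufsize": None}
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == RTYPE_OPT:
            info["edns_bufsize"] = rclass        # CLASS field carries the size
        off += 10 + rdlen
    return info

def classify(info: dict) -> str:
    """Map a parsed reply onto the cases the answers above discuss."""
    if info["truncated"]:
        return "truncated: the server could not fit the answer, retry over TCP"
    if info["size"] > CLASSIC_UDP_LIMIT and info["edns_bufsize"] is None:
        return "oversized reply without OPT: a 512-byte-only middlebox may drop it"
    if info["size"] > CLASSIC_UDP_LIMIT:
        return "EDNS0 reply above 512 bytes arrived: the path honours EDNS0"
    return "reply fits in 512 bytes: inconclusive for the EDNS0 question"

def build_txt_response(query: bytes, txt_chunks: list,
                       truncated: bool = False, edns: bool = True) -> bytes:
    """Constructed reply for offline testing: echoes the question section and
    adds one TXT RR (plus OPT when edns is set); not a real server."""
    txn_id = struct.unpack("!H", query[:2])[0]
    qend = skip_name(query, 12) + 4
    flags = 0x8180 | (0x0200 if truncated else 0)   # QR, RD, RA (+TC)
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 1, 0, 1 if edns else 0)
    rdata = b"".join(bytes([len(c)]) + c for c in txt_chunks)
    rr = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_TXT, 1, 60, len(rdata)) + rdata
    msg = header + query[12:qend] + rr
    if edns:
        msg += b"\x00" + struct.pack("!HHIH", RTYPE_OPT, 1232, 0, 0)
    return msg

def probe(resolver: str, name: str = "dns.example", timeout: float = 3.0) -> dict:
    """Send the EDNS0 query over UDP and classify what comes back (network)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        reply, _ = sock.recvfrom(65535)
    info = parse_response(reply)
    info["verdict"] = classify(info)
    return info
```

Run `probe("<your resolver IP>")` against a name whose TXT data you know exceeds 512 bytes; a "truncated" verdict with EDNS0 advertised, or a timeout, is the signature of a 512-byte-only middlebox of the kind the PIX/ASA comments describe, and the TC branch is exactly why the RFC 5625 answer insists that TCP/53 be open as well.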